Splunk Search

Invalid lookup table ?

szabados
Communicator

I want to use a lookup table, but every time, I add the command to my search "| lookup name_of_my_lookup", I'm getting the "Error in 'lookup' command: The lookup table 'name_of_my_lookup' does not exist or is not available. "

When I try to load the same lookup with "| inputlookup", it works fine, I see all the contents.
I didn't find any more detailed error message.

What am I doing wrong?


Update: without changing anything, the issue is gone now. The lookup works now as expected, but I would be still interested in understanding what went wrong, not to make the same mistake again in the future.

the_wolverine
Champion

I've also seen this happen with improperly formatted lookup files where there are missing columns.

Internally, you could search:
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" lookup table invalid

02-01-2018 15:41:44.309 -0800 WARN  SearchOperator:inputcsv - sid:searchparsetmp_741145440 The lookup table 'mylookup.csv' is invalid.

In this case the lookup file was missing a first column, e,g.

,field2,field3,field4
,cod,fish,tiger
,worm,bat,mouse

0 Karma

gcusello
Esteemed Legend

Hi szabados,
did you get global permissions both to your lookup File and Definitions?
Bye.
Giuseppe

jkat54
SplunkTrust
SplunkTrust

You need to add a lookup definition and make sure the permissions are correct on it. Without the definition you'll have to add .csv to the name when you use it.

Settings -> lookups -> lookup definition

jkat54
SplunkTrust
SplunkTrust

@szabados

It's likely the permissions / configurations hadn't replicated yet.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...